Apply Concepts of Confidentiality, Integrity, and Availability to Security
The C-I-A triad (also referred to as I-C-A) forms the basis of information security (see the following figure). The triad comprises three fundamental information security concepts: confidentiality, integrity, and availability.
As with any triangular shape, all three sides depend on each other (think of a three-sided pyramid or a three-legged stool) to form a stable structure. If one piece falls apart, the whole thing falls apart.
Confidentiality prevents the unauthorized use or disclosure of information, ensuring that only those who are authorized to access information can do so. Privacy is a closely related concept that’s most often associated with personal data. Various U.S. and international laws exist to protect the privacy (confidentiality) of personal data.
Personal data most commonly refers to personally identifiable information (PII) or personal health information (PHI). PII includes names, addresses, Social Security numbers, contact information (in some cases), and financial or medical data. PHI consists of many of the same data elements as PII, but also includes an individual patient’s medical records and healthcare payment history. Personal data, in more comprehensive legal definitions (particularly in Europe), may also include race, marital status, sexual orientation or lifestyle, religious preference, political affiliations, and any number of other unique personal characteristics that may be collected or stored about an individual.
The U.S. Health Insurance Portability and Accountability Act (HIPAA), discussed later in this chapter, defines PHI as protected health information. In its more general context, PHI refers to personal health information.
The objective of privacy is the confidentiality of personal data.
Integrity safeguards the accuracy and completeness of information and processing methods. It ensures that
- Unauthorized users or processes don’t make modifications to data.
- Authorized users or processes don’t make unauthorized modifications to data.
- Data is internally and externally consistent, meaning a given input produces an expected output.
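The first two integrity properties above are enforced with a keyed integrity check: a message authentication code lets the verifier detect any modification made by someone who does not hold the key. The following is an added example (not part of the original text) in Python using only the standard library; the record, the account numbers, and `DEMO_KEY` are constructed for illustration. It also shows why an unkeyed hash is not an integrity control on its own: an attacker who can modify the data can recompute a public hash just as easily.

```python
import hashlib
import hmac
import json

# Constructed demo key and record (hypothetical, not from the page). In practice the
# key comes from a secrets store and is never embedded in source.
DEMO_KEY = b"demo-integrity-key-do-not-use-in-production"
RECORD = {"employee_id": 1042, "account": "DE89370400440532013000", "salary_cents": 650000}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed under `key`; only key holders can produce it."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def verify(protected: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False means data or tag changed."""
    expected = hmac.new(key, canonical(protected["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, protected["tag"])


def tamper(protected: dict, **changes) -> dict:
    """Simulate an attacker who edits fields but has no key to compute a matching tag."""
    return {"data": {**protected["data"], **changes}, "tag": protected["tag"]}


def unkeyed_protect(record: dict) -> dict:
    """Weak variant: a plain SHA-256 digest that anyone can recompute."""
    return {"data": dict(record), "digest": hashlib.sha256(canonical(record)).hexdigest()}


def unkeyed_verify(stored: dict) -> bool:
    """Check the plain digest; passes for anyone who recomputed it after editing."""
    digest = hashlib.sha256(canonical(stored["data"])).hexdigest()
    return hmac.compare_digest(digest, stored["digest"])


def forge_unkeyed(stored: dict, **changes) -> dict:
    """Attacker edits the data and simply recomputes the public digest."""
    return unkeyed_protect({**stored["data"], **changes})


def demo() -> dict:
    """Run the scenarios and return the verification outcomes."""
    keyed = protect(RECORD, DEMO_KEY)
    unkeyed = unkeyed_protect(RECORD)
    redirected = {"account": "GB29NWBK60161331926819"}  # constructed attacker-controlled account
    return {
        "keyed_intact": verify(keyed, DEMO_KEY),                                # True
        "keyed_tampered": verify(tamper(keyed, **redirected), DEMO_KEY),        # False: tag no longer matches
        "keyed_wrong_key": verify(keyed, b"guessed-key"),                       # False: verifier needs the real key
        "unkeyed_intact": unkeyed_verify(unkeyed),                              # True
        "unkeyed_forged": unkeyed_verify(forge_unkeyed(unkeyed, **redirected)), # True: the forgery is accepted
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Note the limit of this control: it detects modification by parties without the key (the first bullet) but cannot by itself stop an authorized key holder from making an unauthorized change (the second bullet); that requires access control, separation of duties, and an audit trail around who is allowed to compute new tags.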
Availability ensures that authorized users have reliable and timely access to information, and to the associated systems and assets, when needed. Availability is easily one of the most overlooked aspects of information security. In addition to denial-of-service (DoS) attacks, threats to availability include single points of failure, inadequate capacity planning (storage, bandwidth, and processing), equipment malfunctions, fail-safe control mechanisms (which deny all access when they fail), and business interruptions or disasters.